Compare commits

4 Commits

8 changed files with 72 additions and 50 deletions

@ -1,6 +1,6 @@
/* ANCHOR: all */
// ANCHOR: content
Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
Look for your SD card device name (`<device_name>`) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk<num>`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`)
* You may mount the device using: `sudo mount /dev/<your_device> media/`
// ANCHOR_END: content
/* ANCHOR_END: all */
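Review bot: the new sentence adds `/dev/mmcblk<num>` but the rest of it still describes only the `sdX` form: "where X is a letter" and the partition example `/dev/sdX1` do not apply to mmcblk devices, whose partitions are named like `/dev/mmcblk0p1`. Suggest adding an mmcblk example next to the sd ones. The mount bullet also uses `<your_device>` and a relative `media/` target, while the ceremony documents that include this snippet read from `/media/<device_name>/`; one placeholder name and the absolute mount path would keep the steps consistent.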

@ -0,0 +1,27 @@
/* ANCHOR: all */
// ANCHOR: content
1. Connect SD card to online machine
1. {{ #include finding-device-name.md:content }}
1. Copy files into designated location in a repository:
* e.g `cp /dev/<your_device> ~/<repository_name>/<path_to_location>`
1. Add all files to git stage:
* `git add .`
1. Review what files are staged:
* `git status`
1. Create a signed commit:
* `git commit -m -S "<message>"`
1. Push the changes to the branch you are on:
* `git push origin HEAD`
// ANCHOR_END: content
/* ANCHOR_END: all */
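Review bot: in the "Create a signed commit" step, `git commit -m -S "<message>"` puts `-S` directly after `-m`, so git takes `-S` as the commit message and no signature is requested; it should read `git commit -S -m "<message>"`. The copy step has a separate problem: `cp /dev/<your_device> ...` names the block device rather than files on the mounted card, so it should copy from the mount point instead (for example `cp -r /media/<device_name>/<path> ...`). Because `git add .` stages everything in the working tree, consider naming the artifact paths explicitly, and consider adding `git log --show-signature -1` before the push so the operator confirms the commit is actually signed.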

@ -10,21 +10,7 @@
## Procedure
1. Enter the designated location with required personnel and equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all materials except for the laptop into High Visibility Storage
1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
{{ #include template-ceremony-setup.md:content }}
1. Retrieve Ceremony SD Card from High Visibility Storage and plug it into the machine
@ -34,11 +20,11 @@
* Copy the contents of the card to machine:
* `cp -r /media/<device_name>/* ~`
* `cp -r /media/<device_name>/vaults /root/`
1. Start `keyfork` using the relevant Shardfile:
* `keyfork recover shard --daemon /media/<device_name>/path/to/shardfile.asc`
* `keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc`
* Follow on screen prompts
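Review bot: the new copy and recover lines hard-code `/root/`, where the line they replace used `~`; that only works if the ceremony shell runs as root, so either state that assumption or keep `~/vaults`. The copy also now expects a `vaults` directory at the top level of the card, and the recover path introduces `<namespace>` without saying how the operator chooses it; a short explanation next to the step would help.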
@ -50,4 +36,14 @@
* `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted`
1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.
1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.
1. Shut down the air gapped machine
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer
* AirgapOS SD card
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
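Review bot: the "Gather all the original items" list names only the air-gapped computer and the AirgapOS SD card, but this procedure also uses the Ceremony SD Card and may write `decrypted` to an SD card for transfer. Say what happens to those cards before sealing (returned to storage, handed over, or wiped) so that plaintext secret material is accounted for. The "Proceed to transfer the secret" line also appears twice in this hunk; if that is not a whitespace-only change, drop the duplicate.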

@ -14,11 +14,11 @@ Procedure for importing an arbitrary secret (raw key, mnemonic, state secrets) i
* If not on a computer, but a hardware wallet or otherwise, perform the steps on a air-gapped machine
1. Load the OpenPGP certificate:
1. Encrypt the secret to certificate:
* `sq encrypt --for-file <certificate> <file_to_encrypt> --output encrypted.asc` TODO: sq needs to be added to airgapOS
1. Once encrypted, name the file appropriately and add it to an `artifacts/` directory in the appropriate namespace subdirectory in the `vaults` repository
{{ #include ../../../../component-documents/git-basics.md:content }}
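Review bot: "Load the OpenPGP certificate:" ends in a colon but has no command or sub-step, and nothing between it and the `sq encrypt` step checks that the certificate is the intended one. Suggest adding the load command and a fingerprint comparison against a value obtained out of band before encrypting. The inline "TODO: sq needs to be added to airgapOS" should move to an issue or a separate note, since it implies the step cannot yet be run on AirgapOS as written. Minor: "a air-gapped" should be "an air-gapped".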

@ -36,7 +36,7 @@
* {{ #include ../../../../component-documents/finding-device-name.md:content }}
* `keyfork shard combine /media/<device_name>/shard.asc | keyfork-mnemonic-from-seed`
* `keyfork shard combine /media/<device_name>/shard.asc | keyfork-mnemonic-from-seed > mnemonic.txt`
1. Follow on screen prompts
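Review bot: redirecting to `mnemonic.txt` writes the plaintext mnemonic to a file in whatever directory the operator happens to be in, which could be the mounted SD card. Suggest giving an explicit path on the air-gapped machine's own filesystem, setting `umask 077` before the command, and adding a step that removes the file once the mnemonic has been transferred.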
@ -48,6 +48,8 @@
1. Put the mnemonic on an SD card for transport or use `cat` command to output it in the terminal for entry into a hardware wallet or otherwise
* WARNING: if displaying on screen, ensure nothing else can see the mnemonic. It is recommended to cover the operator and the machine with a blanket to obstruct the view of the screen.
1. Shut down the air gapped machine
1. Gather all the original items that were in the air-gapped bundle:

@ -14,19 +14,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
## Procedure
1. Enter the designated location with the operators and all required equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug the AirgapOS SD card into the laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
{{ #include template-ceremony-setup.md:content }}
1. Plug the Ceremony SD card into the machine
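Review bot: replacing the setup steps with `template-ceremony-setup.md` changes this ceremony rather than only deduplicating it. The old text here said "Plug the AirgapOS SD card into the laptop" and had no "Place all materials except for the laptop into High Visibility Storage" step, and it opened with "the operators and all required equipment" instead of "required personnel and equipment". If the change is intended, the following "Plug the Ceremony SD card into the machine" step should also say that the card is retrieved from High Visibility Storage, as the sibling ceremony does.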
@ -64,6 +52,8 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Upload the newly generated artifacts into the `vaults` repository
{{ #include ../../../../component-documents/git-basics.md:content }}
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer

@ -14,21 +14,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
## Procedure
1. Enter the designated location with required personnel and equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all materials except for the laptop into High Visibility Storage
1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
{{ #include template-ceremony-setup.md:content }}
1. Run the relevant keyfork wizard to perform the ceremony:
@ -67,6 +53,8 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and upload the newly generated artifacts into the `vaults` repository in the appropriate `<namespace>` sub directory using an online machine
{{ #include ../../../../component-documents/git-basics.md:content }}
1. Gather all the original items that were in the air-gapped bundle:
* Air-gapped computer

@ -0,0 +1,19 @@
/* ANCHOR: all */
// ANCHOR: content
1. Enter the designated location with required personnel and equipment
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
1. Retrieve Air-Gapped Bundle and polaroid tamper evidence from locked storage
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all materials except for the laptop into High Visibility Storage
1. Retrieve AirgapOS SD card from High Visibility Storage and plug it into air-gapped laptop
1. Turn on the machine
1. Once booted, remove the AirgapOS SD card and place it into High Visibility Storage
// ANCHOR_END: content
/* ANCHOR_END: all */